Kali Linux is not one of the distros officially supported by the ZeroTier installer script, so if you just try to run it you will get an error message along the lines of:

FAILED: unrecognized or ancient distribution: kali-rolling

Kali Linux is based on Debian testing, so we can just “trick” the ZeroTier install script into thinking it’s Debian and it installs just fine:

# save the current contents of /etc/debian_version
# (which will be something like kali-rolling)
DV_SAVE=$(cat /etc/debian_version)
# pretend we're Debian buster
echo buster | sudo tee /etc/debian_version >/dev/null
# follow ZeroTier install instructions from:
# https://www.zerotier.com/download/
# for example, if you don't care about checking gpg signatures:
curl -s https://install.zerotier.com | sudo bash
# restore the original /etc/debian_version
echo "$DV_SAVE" | sudo tee /etc/debian_version >/dev/null

(image taken from https://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/)

This article is a result of playing SANS NetWars Continuous level 5 (attack/defense) for several weeks. When you get access to an opponent’s machine, it is highly desirable to leave backdoors that allow you to get back in once your access is blocked. Below, I’m describing some of the techniques I’ve used for persistence purposes. The techniques, albeit effective, are very simple, mostly use the features of the OS and services, and do not cover any advanced topics like rootkits.

1. SSH keys

This is useful if you can access SSH service on the machine. SSH keys are a secure and convenient way to…


I’ve been experimenting with xxelab (https://github.com/jbarone/xxelab), a simple PHP web app demonstrating XXE attacks, trying to replicate code execution through expect:// PHP wrapper. (Shameless plug — my recently submitted pull request allows you to run xxelab in a Docker container). This technique is well described in a number of articles on the Internet, for example here:

Or here:

https://www.gardienvirtuel.ca/fr/actualites/from-xml-to-rce.ph

The idea is that you reference the expect://id pseudo-URI as the XML external entity, and PHP will execute id and substitute the output of the command for the external entity.

Turns out it was quite a lot of…


I was recently configuring Docker on a machine that didn’t have direct access to the Internet and had to use a proxy for outbound connectivity, and it turned out to be a non-trivial task. All of this info is scattered around the Internet; I’m just bringing it all together. Here are the steps to get everything working:

  1. Proxy for the command line
  2. Proxy for apt
  3. Proxy for Docker daemon
  4. Proxy for Docker build and Docker Compose

This article has been written for Ubuntu Linux and might need tweaking for other distros.

Proxy for the command line

This part is as easy as setting the following environment variables…


On occasion you need to listen for incoming connections and interact with the data being sent by the client. The simplest way is probably netcat (12345 is the port number to listen on):

$ nc -lvnp 12345

(-l for listen; -v for verbose, which lets you know once a connection is received; -n tells netcat not to resolve host and port names; -p indicates the port to listen on)

When you need to accept a TLS/SSL connection, things get a bit more complicated as regular netcat doesn’t support it.

Option 1 — ncat from nmap

nmap includes a version of netcat called ncat that…


I just released cms2cmd, a CMS plugin that can be used with Drupal 7, Drupal 8, Joomla and WordPress as a simple command execution mechanism.

Occasionally during a CTF (or a pen test?) you might gain admin access to a CMS, which in most configurations gives you RCE. cms2cmd is a clean (i.e. no need to change templates or otherwise “break” the CMS instance) and simple command execution plugin that works for a number of CMS systems (the current version has been tested on Drupal 7, Drupal 8, Joomla 3.x, and WordPress 3.9.x).

The same mod_cmd.zip file is recognized as…


Background

To connect to a database, Java applications usually use the JDBC framework. Part of the framework is the JDBC drivers, which are usually supplied by the DBMS vendor. Applications often require the administrator to download the needed JDBC driver separately, because licensing restrictions do not allow the software vendor to redistribute the driver with their software.

Some software allows the administrator to upload the JDBC driver through the UI to make the configuration process easier. The software then places the driver into the appropriate directory so it can be used at runtime. By doing that, the application essentially allows upload of…


I like seeing CPU load on my boxes, so pretty much all of them have some sort of CPU load gadget enabled on startup. I noticed that every time I have to configure this on a Kali box I struggle to remember the package names for what I have to install, so having done it today I decided to write this up so I don’t have to struggle next time.

It’s fairly simple, really:

  • Install the gnome-shell-extension-system-monitor package (unlike indicator-multiload, it doesn’t require adding a PPA):
# apt update
# apt install gnome-shell-extension-system-monitor
  • Open Tweaks (either find it in the menu under Applications -> Usual Applications -> System tools -> Preferences, or press the Windows key and type tweaks to search for it).
  • Select Extensions, enable System-monitor, click on the gear and set your preferences.
  • Enjoy.

Let’s tackle the Protostar Format 4 challenge from Exploit Exercises (https://exploit-exercises.com/protostar/format4/). This is a detailed step-by-step walkthrough explaining all the tools and techniques needed — we’ll be writing a format string exploit.

Format 4 Challenge

Here’s the source code for the challenge, format4.c:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

/* never called directly: the goal is to redirect execution here */
void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  /* user input used as the format string: the intended format string bug */
  printf(buffer);

  exit(1);
}

int main(int argc, char **argv)
{
  vuln();
}

The program reads a string from the standard input and passes it to printf. …


Having previously tackled the last stack challenge in Protostar from Exploit Exercises (https://medium.com/@airman604/protostar-stack7-walkthrough-2aa2428be3e0), we’re now switching to the last heap challenge (https://exploit-exercises.com/protostar/heap3/).

Heap 3 Challenge

Here’s the source code for the Protostar Heap 3 challenge:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <time.h>

/* never called directly: the goal is to get here */
void winner()
{
  printf("that wasn't too bad now, was it? @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  char *a, *b, *c;

  a = malloc(32);
  b = malloc(32);
  c = malloc(32);

  /* unbounded strcpy into 32-byte heap chunks: the intended heap overflow */
  strcpy(a, argv[1]);
  strcpy(b, argv[2]);
  strcpy(c, argv[3]);

  free(c);
  free(b);
  free(a);

  printf("dynamite failed?\n");
}

The goal is to call the winner() function. As strcpy is used, it…

Airman

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.
